
PEPS: Future of E-Payments in Pakistan

by
Hammad Mushtaq

Author Profile
MS Computing (National University of Singapore) working as Assistant
Professor at Government College University Lahore.

Introduction

New developments in the commerce industry have created a need to devise innovative mechanisms to support such systems. In Pakistan specifically, a payment system should be diverse and generally acceptable, which is why there is a strong need to build a system that is robust and targeted, even if it is a combination of subsystems. The proposed payment system PEPS (Pakistan’s Electronic Payment System) is inspired by the PRISM¹ payment system, a system of the kind globally referred to as real-time gross settlement. For this purpose a detailed review of the electronic payment initiatives taken by the Pakistan banking authorities was conducted. The systems are quite modern and need to be implemented across the banking sector. PEPS is best suited, as it shall be regulated by the State Bank and has the reliability factor for both payer and merchant. This will facilitate all bank account holders using online PEPS-based transfer of funds, which is based on a probabilistic approach, making it more suitable for online businesses. Considering the wide variety of usage, macro payments are the more suitable candidate for PEPS. However, considering the specific nature of micro payments, a system that is handled internally but seamlessly integrated by the banks is recommended. Security mechanisms like dual signature and 2FA will not only reduce transaction security threats but will also increase people’s trust in secure electronic transactions.

¹ PRISM - Pakistan Real-time Inter-bank Settlement Mechanism

PEPS a Payment Solution for E-Payments in Pakistan


by
Hammad Mushtaq
PEPS: Technical description of proposed solution

Consider the specific situation in Pakistan, where people in general are not welcoming of new ways of payment. This is a global phenomenon, as people do not readily accept changes in their practices. Also, the plastic card facility is available to a limited number of people, who are also not inclined to use it over the internet due to security threats. Considering the attitude of the general public towards electronic payment systems, the proposed system must be generally acceptable to all stakeholders. As a consequence of this scenario, merchants and online businesses are less attracted to adopting these new payment systems due to the limited number of customers willing to pay through such facilities. However, inter-bank funds transfer is a safe and easy way that will be generally accepted by both critical stakeholders of the transaction, that is, buyers and merchants.

The proposed payment system PEPS (Pakistan’s Electronic Payment System) is inspired by the PRISM payment system, a system of the kind globally referred to as real-time gross settlement. The reason for choosing PRISM as a base is that it will be a relatively cheaper solution; on top of that, it will be highly acceptable for the situation in Pakistan, offering more transparency for transactions. It will also cover the issues of anonymity and overspending. This system, supported by internet banking, can be very well established from within the banking sector, provided it is regulated through the State Bank. Currently these systems have been advised by the State Bank, but no tangible implementation was noticed in the literature review. Assuming that the banking sector switches to systems like PRISM and SWIFT, PEPS will work on top of these systems.

PEPS Made Simple

The process of PEPS will be very simple. Customers who are shopping on a PEPS-supported website will fill their shopping cart, switch to the PEPS payment option available on the website, and choose their relevant bank from the list. This step will take the customers to their relevant bank’s website. After logging in the usual way, they shall receive an automatic prompt for authorization of the bill sent by the merchant’s portal. Once the customer authorizes the bill, the customer’s bank shall confirm the successful transaction and relay it back to the merchant.

Figure 1.0² - PEPS based on Debit Transaction

PEPS Pros

This is very useful in many ways. It supports the anonymity of the customer towards the merchant, because the customer does not need to supply account information to the merchant as in the case of plastic cards. On the other hand, the merchant is not exposed to the fraud risks associated with accepting credit cards online and generally pays lower merchant fees compared to plastic cards.

² Source: Markus Schneider [Electronic Payment System]

Technical Details

PEPS will be regulated by SBP so that the banking sector is bound to offer online payment interfacing with merchant websites. Merchants’ websites should be integrated with the PEPS system, as each new e-business has to register with one of the banks offering PEPS. Customers, on the other hand, need to have a bank account and sign up for PEPS by giving their bank consent to transfer funds on request and by agreeing to abide by the principles of PEPS. Pakistanis living outside Pakistan shall sign up for a local bank account with PEPS services so that they can transfer their funds from their country of residence to the home bank.

These principles should be devised and communicated to the customers and merchants registered to use PEPS. This will make local payments independent of whether the payer’s bank differs from the merchant’s bank. The transaction information should be in a general format so that it can be exchanged between the different banks involved in the transaction. The same transaction format shall also be understandable by the merchant portal. The order information description identifies the order details at the merchant. It also contains the response to the merchant’s challenge, so random information may be added to counter dictionary attacks. The other information, the payment details such as account data, purchase amount, hash of the order and transaction ID, should be encrypted separately using the bank’s public key before any further communication, so that the merchant portal cannot read it.

At the customer level, security can be increased with 2FA (Second Factor Authentication), which is becoming really popular in Internet banking: customers are given an iBanking device for a second level of authentication, which is really handy. See the details in the security section.
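
The separation of order information and payment details described above, as an added example (not code from the paper): the payment details carry a salted hash of the order and are encrypted to the bank's public key, and the bank checks that hash against the one the merchant reports. RSA-OAEP, SHA-256, the byte layout and all sample values are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// HashOrder salts the order: a holder of the hash alone cannot confirm guesses.
func HashOrder(salt, order []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), order...))
	return sum[:]
}

// Seal encrypts orderHash||payment to the bank; the merchant only relays it.
func Seal(bank *rsa.PublicKey, orderHash, payment []byte) ([]byte, error) {
	msg := append(append([]byte{}, orderHash...), payment...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, bank, msg, nil)
}

// Open (bank side) decrypts, then checks the sealed hash against the merchant's.
func Open(key *rsa.PrivateKey, sealed, merchantHash []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, key, sealed, nil)
	if err != nil {
		return nil, err
	}
	if len(plain) < sha256.Size || string(plain[:sha256.Size]) != string(merchantHash) {
		return nil, fmt.Errorf("order hash mismatch")
	}
	return plain[sha256.Size:], nil
}

// DemoSeal runs the flow on constructed sample values (assumed layout).
func DemoSeal() (payment string, swapErr error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	salt := make([]byte, 16)
	rand.Read(salt) // random information carried in the order description
	order := []byte("order A-1001: 2 x phone case")
	sealed, _ := Seal(&key.PublicKey, HashOrder(salt, order), []byte("acct=PK00-TEST-0001;amt=2500"))
	got, _ := Open(key, sealed, HashOrder(salt, order))
	_, swapErr = Open(key, sealed, HashOrder(salt, []byte("order A-9999: 40 x phone case")))
	return string(got), swapErr
}

func main() { fmt.Println(DemoSeal()) }
```

RSA-OAEP with a 2048-bit key and SHA-256 carries at most 190 bytes, so longer payment records would need hybrid encryption.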

PEPS Security:
Traditional internet security mechanisms can be used, as on a normal e-banking website; however, banks need to develop secured tunnels between the banks concerned (if the merchant’s bank is different from the payer’s bank). An AES, SSL-enabled website will ensure the digital transfer of information to the original participants of the transaction only.

For securing electronic transactions between merchant portals and e-bank websites, appropriate encryption standards should be followed. A special PKI using public and private key cryptosystems will be useful; to make this encryption more complex, a three-volume specification can be used to further safeguard transactions from major risks like black hat attacks. In this regard, newer mechanisms can also be considered by devising customized encryption techniques that take into account the troika of customers, merchants and payment authorities, or simply the banks involved in the transaction.

Figure 2.0 – Dual Signature (diagram labels: Transaction; Parsing; Internal for Bank; For Merchant; Hash; Digest 1; Digest 2; Dual Signature)

Another popular mechanism for securing the bank’s internal transfer and the third-party merchant portal is the dual signature. The mechanism is useful when “A” wants to send Message 1 to “B” and Message 2 to “C” and assure both B and C that the respective other message exists. Using digests and hash keys, it is useful when segregation of transfer information is needed; as discussed earlier, anonymity remains a merit for the customer in the PEPS system, where the customer’s personal account information is not disclosed to the merchant. Figure 2.0 illustrates the dual signature mechanism.
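
The dual signature described above, as an added example (not code from the paper): A signs a digest of both message digests, so B can verify with Message 1 plus the digest of Message 2, and C the other way round. Ed25519 and SHA-256 are assumed choices, and the order (OI) and payment (PI) messages are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// dualDigest links the two messages: H( H(OI) || H(PI) ).
func dualDigest(oiHash, piHash [32]byte) []byte {
	sum := sha256.Sum256(append(oiHash[:], piHash[:]...))
	return sum[:]
}

// Sign is run by the customer, who holds both messages and the private key.
func Sign(priv ed25519.PrivateKey, oi, pi []byte) []byte {
	return ed25519.Sign(priv, dualDigest(sha256.Sum256(oi), sha256.Sum256(pi)))
}

// VerifyMerchant: the merchant reads OI but gets only the digest of PI.
func VerifyMerchant(pub ed25519.PublicKey, oi []byte, piHash [32]byte, sig []byte) bool {
	return ed25519.Verify(pub, dualDigest(sha256.Sum256(oi), piHash), sig)
}

// VerifyBank: the bank reads PI but gets only the digest of OI.
func VerifyBank(pub ed25519.PublicKey, oiHash [32]byte, pi, sig []byte) bool {
	return ed25519.Verify(pub, dualDigest(oiHash, sha256.Sum256(pi)), sig)
}

// DemoDualSignature runs the exchange on constructed sample messages.
func DemoDualSignature() (merchantOK, bankOK, swappedOK bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	oi := []byte("order=A-1001;items=2;salt=7f3c9e")
	pi := []byte("acct=PK00-TEST-0001;amt=2500;txn=T-1001")
	sig := Sign(priv, oi, pi)
	merchantOK = VerifyMerchant(pub, oi, sha256.Sum256(pi), sig)
	bankOK = VerifyBank(pub, sha256.Sum256(oi), pi, sig)
	// The same payment attached to a different order must be rejected.
	other := sha256.Sum256([]byte("order=A-9999;items=40;salt=11aa22"))
	swappedOK = VerifyBank(pub, other, pi, sig)
	return
}

func main() { fmt.Println(DemoDualSignature()) }
```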

The other recommended security mechanism is 2FA (Second Factor Authentication), which gives customers some tangible assurance that the bank’s internal system is involved in the transaction and that no fake communication is going on. 2FA gets its name from supporting two levels of authentication. The first is the PIN authentication in common use and practice; the PIN, once communicated to the customer, is known only to the customer. The second is information that the bank’s internal system communicates to the customer, as and when a transaction happens, on an iBanking device given to the customer by the bank. This information is simply a randomly generated iBSecure PIN for the transaction itself. This is interesting, but it has one limitation: if implemented for micro payments, it will increase the transaction cycles, as multiple rounds of communication between bank and customer will be required to complete one transaction. In conclusion, 2FA is more useful for larger payments.

Roles & Responsibilities to Implement Proposal


State Bank of Pakistan
Regulatory authority for PEPS, binding the local banking sector.
Banking Sector
Implement the PEPS system so that the banking system is integrated through the internet.
Private Sector / Industry
Electronic portals should be developed in keeping with the PEPS information-sharing standards.
Mobile Service Providers
Provide services to support PEPS, such as GPRS-based secure information sharing that is viable for mobile payments.
